By default, all resources in a CloudFormation stack are removed when the stack is deleted. To keep or copy certain resources when the stack is deleted, you can set a DeletionPolicy attribute for each resource in the CloudFormation template. For more information on how to use a DeletionPolicy attribute, see DeletionPolicy Attribute.

You can enable Termination Protection to prevent users from deleting the CloudFormation stack. By default, Termination Protection is disabled. You can enable this option when you create the stack, and you can update Termination Protection on an existing stack.

By default, all update actions are allowed on any resource in a stack. Update actions include Modify, Replace, and Delete. You can use a stack policy to allow or deny update actions on resources.

Note: After you set any stack policy, all resources in the stack are protected by default, and you must explicitly allow any resource update actions. For more information on using stack policies, see Prevent Updates to Stack Resources.

The following example stack policy denies all update actions on the MyRoute resource, and allows update actions on all other resources in the stack:
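A stack policy matching that description, added here as an example and not taken from the original page. It assumes MyRoute is the resource's logical ID in the template. The explicit Deny takes precedence over the broader Allow, and the Allow statement is needed because, once a stack policy is set, updates to every resource are denied unless explicitly allowed:

```json
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "LogicalResourceId/MyRoute"
    },
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    }
  ]
}
```

`Update:*` covers the Modify, Replace, and Delete update actions listed above.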

If your organization has multiple people or departments that use the same CloudFormation stack, someone unfamiliar with your configuration might make changes that result in significant downstream impact. Be sure to set IAM policies that allow access only for those who need to work with certain AWS resources or services.